FY 2009 OFFICE OF INSPECTOR GENERAL
AUDIT OF THE E2 TRAVEL SYSTEM
SECURITY CONTROLS
REPORT NUMBER A080180/B/T/F09008

August 7, 2009

TABLE OF CONTENTS

EXECUTIVE SUMMARY
  Purpose
  Background
  Results in Brief
  Recommendations
  Management Comments
INTRODUCTION
RESULTS OF AUDIT
  Management Controls
    Certification and Accreditation Completed for E2 Did Not Consider Controls for and Risks with GSA’s Specific IT Systems Environment
    Additional Actions Are Needed to Establish Required System Interconnection Agreements
  Operational Controls
    Providing Contractors with Full System Access Prior to Successful Completion of Background Investigations Increases Risk to the System
    Improvements to Verify Security Awareness Training for Contractor Personnel Are Needed
  Technical Controls
    Implementing Two-Factor Authentication Would More Securely Authenticate Users to the System to Better Protect GSA Employee Travel and Financial Information
    Access to Procedures for Privileged Users Is Not Restricted to Those with a Need-to-Know
    Prompt Remediation of Configuration Management Vulnerabilities Could Reduce Risks from Known Vulnerabilities
    GSA Should Specify if Approved Domain Is Required for Accessing E2
    Use of Secure Government E-mail Accounts When Resetting E2 User Passwords Could Reduce System Risks
  Next Steps
CONCLUSIONS
RECOMMENDATIONS
MANAGEMENT COMMENTS
INTERNAL CONTROLS
APPENDIX A – OBJECTIVE, SCOPE, AND METHODOLOGY
APPENDIX B – SECURITY ROLES AND RESPONSIBILITIES RELATED TO GSA’S IMPLEMENTATION OF E2
APPENDIX C – GSA-OIG E2 FISMA AUDIT PRELIMINARY OBSERVATIONS
APPENDIX D – E2 SYSTEM INTERCONNECTIONS
APPENDIX E – DATABASE SECURITY RESULTS
APPENDIX F – NETWORK SECURITY RESULTS
APPENDIX G – MANAGEMENT COMMENTS
APPENDIX H – REPORT DISTRIBUTION

EXECUTIVE SUMMARY

Purpose

In December 2006, the General Services Administration (GSA) implemented E2 Solutions (E2), an operational system that is maintained for agencies by a Federal contractor, to provide for its travel management needs. The system currently processes approximately 36,000 temporary duty and local travel vouchers per year covering $28.2 million in travel expenses for GSA travelers. E2 is a moderate risk[1] Privacy Act System of Record[2] that contains personally identifiable information (PII) as well as financial and travel data. The E2 system is included in GSA’s Federal Information Security Management Act of 2002 (FISMA) inventory maintained by the GSA-Chief Information Officer (CIO), and will be included in our Fiscal Year (FY) 2009 FISMA report. The objective of this information security review of E2 was to determine if GSA has implemented management, operational, and technical security controls to effectively manage risks inherent with a travel and financial management system which holds PII in accordance with FISMA and the Agency’s Information Technology (IT) Security Program. If not, what additional actions are needed to better manage IT security risks for the system? Appendix A provides our objective, scope, and methodology for the audit.

Background

Expanding Electronic Government (e-Gov) is one of the key elements of the President’s Management Agenda (PMA) initiated by President George W. Bush in July 2001.
The e-Gov initiative goals include more results-oriented, efficient, and citizen-centered processes for the Federal government. GSA is the managing partner for the e-Gov Travel Service (ETS) initiative, one of the 24 initiatives included in the PMA. The ETS was launched in April 2002 to meet the goals of the PMA. It is a Government-wide, web-based service intended to provide travel management practices to consolidate Federal travel, minimize cost, and produce superior customer satisfaction. Goals for ETS include developing a Government-wide, web-based, world-class travel management service; establishing a cost model that reduces or eliminates capital investment and minimizes total cost per transaction for the government; and creating a policy environment based on the use of best travel management policies.

[1] Federal Information Processing Standards (FIPS) Publication (PUB) 199, Standards for Security Categorization of Federal Information and Information Systems, February 2004, requires Federal agencies to classify their information systems into one of three risk levels: low, moderate, or high. GSA’s designation of E2 as moderate risk means that the Agency has made a determination that the loss of system confidentiality, integrity, or availability could be expected to have a serious effect on organizational operations, organizational assets, or individuals.
[2] A Privacy Act System of Record is a system containing information that is retrieved by an individual’s name or other unique identifier assigned to the individual. This information is protected under the Privacy Act of 1974.

In November 2003, the GSA Federal Acquisition Service (FAS) Program Management Office (PMO) awarded three competitively bid contracts to vendors to implement the ETS and provide for web-based travel management services for the Federal government until 2013. The master contract with Carlson Wagonlit Government Travel (CWGT) was for use of its E2 Solutions (E2), one of the three systems offered under the ETS initiative. Under this contract, the GSA Chief Financial Officer (CFO) selected E2 to provide for travel management services for GSA Associates. The FAS-PMO subsequently issued a task order to CWGT in January 2005 to implement E2 within GSA.

The FAS-PMO is responsible for ensuring FISMA requirements, including policies and procedures established with the GSA IT Security Program, have been implemented for the Government-wide E2 system. Within GSA, the OCFO is responsible for ensuring the implementation of adequate security controls for its specific implementation of E2. CWGT is responsible for providing adequate physical security for both the major application (E2 Solutions) and the general support system that hosts it and for providing disaster recovery services. A diagram of roles and responsibilities related to the security portion of GSA’s implementation of E2 is provided in Appendix B.

Results in Brief

The GSA-OCFO, with assistance from the FAS-PMO, has applied many of the security measures required by GSA’s IT Security Program with the Agency’s implementation of the E2 system. Our testing of 99 of 171 required baseline security controls found no reportable conditions for 88 controls. However, specific management, operational, and technical controls required with FISMA should be strengthened to ensure that sensitive financial and travel information is adequately safeguarded and the confidentiality, integrity, and availability of the E2 system is maintained. Opportunities exist to strengthen certification and accreditation (C&A) and risk management processes by addressing not only the Government-wide solution but also risks and vulnerabilities specific to GSA’s IT systems environment. This would better enable GSA to mitigate threats that could lead to system exploits and to protect sensitive information. We also found the opportunity to improve GSA’s ability to effectively prevent, detect, and recover from an attack by ensuring that agreements have been developed for each interconnection with E2. Contractor oversight can also be improved by ensuring that required personnel background investigations are completed and security awareness training is taken prior to providing contractors with full system access. Further, actions should be taken to strengthen system security by implementing two-factor authentication for user access to E2 and by restricting access to privileged procedures and user training materials to those with a need-to-know. Additional improvements can also be made to strengthen system security by assessing whether secure e-mail addresses should be used for resetting user account passwords and whether an officially approved web domain should be used for accessing the system. Opportunities also exist to strengthen configuration management processes for E2 by addressing identified technical weaknesses with system databases and device configurations. This would provide extra protection for the system and its sensitive information.

Recommendations

To better manage IT security risks with the GSA implementation of E2 and ensure the confidentiality, integrity, and availability of this system and the data it maintains, we recommend that the Office of the Chief Financial Officer (OCFO) work with the Federal Acquisition Service (FAS) Program Management Office (PMO) and the Office of the Chief Information Officer (OCIO) to take actions to strengthen:

   1. Management controls by:

   a) Ensuring that controls for and risks with GSA’s implementation of E2, specific to the GSA IT systems environment, have been adequately addressed.
   b) Establishing a Memorandum of Understanding (MOU) and Interconnection Security Agreement (ISA) for the E2 interconnection with the Global Distribution System (GDS).

   2. Operational controls by:

   a) Obtaining assurance that an adequate process is in place and being used to effectively track the completion of background investigations and annual security awareness training prior to providing contractors with full access to GSA data.

   3. Technical controls by:

   a) Identifying those users with privileged access and expediting implementation of two-factor authentication for those users.
   b) Restricting access to privileged procedures to those with a need-to-know.
   c) Ensuring that GSA-Chief Information Officer (CIO) hardening guides are applied.
   d) Disabling unnecessary functionality to eliminate the threat posed by providing non-essential services and ensuring that software running on the networked servers is properly patched to the most recent versions.
   e) Determining whether a .com domain is necessary for the proper performance of the operation of the E2 Solutions (E2) travel system, or whether an approved web domain, such as .gov, .mil, or .fed.us, should be used.
   f) Developing IT Security procedures to restrict the transmission of sensitive information, including password resets, to government e-mail addresses.

Management Comments

Our recommendations are directed to the GSA-CFO and focus on specific improvements for management, operational, and technical controls needed to strengthen security for GSA’s implementation of the e-Government Travel Services E2 Solutions system.
The CFO generally agrees with our findings and recommendations, and a copy of the written management response to our draft report is provided in Appendix G. Included in the management comments are views from the FAS-PMO, which has responsibilities for ensuring that FISMA requirements are met for the government-wide E2 Solutions also offered by GSA to other Federal agencies. As discussed in our report, the GSA Office of the CFO is responsible for ensuring the implementation of adequate security controls for the Agency’s implementation of the e-Government Travel Services E2 Solutions system as GSA’s official travel management solution. With this FISMA security audit, we also considered the key role of the GSA Senior Agency Information Security Officer, who is responsible, within the GSA IT Security Program, for ensuring that systems that hold Federal data comply with all FISMA requirements and that controls for these systems are risk-based and within reasonable cost for the benefit provided. Our position, as noted throughout the report, is that GSA’s IT Security Program should ensure that risks are being managed with GSA e-Government systems, including this e-Government Travel Services E2 Solutions system. While some issues raised may require specific actions from the FAS-PMO for the government-wide e-Travel solution, our audit did not include a focused assessment of government-wide security requirements for e-Government systems or full capabilities of the broader e-Government Travel Services E2 Solutions system offered by the FAS-PMO. Included in the CFO’s comments to our draft report is a response from the FAS-PMO that indicates disagreement related to two of our recommendations to the GSA-CFO.

INTRODUCTION

The Federal Information Security Management Act of 2002 (FISMA) provides a framework for ensuring the effectiveness of information security controls over information resources that support Federal operations and resources. It also includes a mechanism to provide oversight of Federal agency information security programs. FISMA directs Inspectors General to perform an annual independent evaluation of their respective agency’s information security program and controls for select systems. This report presents the results of our assessment of select management, operational, and technical security controls required by FISMA for the E2 Solutions (E2) system. Appendix A provides our objective, scope, and methodology for the audit.

E2 is a financial management Privacy Act System of Record[3] that is operated and maintained by Carlson Wagonlit Government Travel (CWGT). It is one of three systems that the General Services Administration (GSA) Federal Acquisition Service (FAS) Program Management Office (PMO) offers for e-Gov Travel Service (ETS) and is designated by the Agency as “moderate risk[4].” In January 2005, the GSA Office of the Chief Financial Officer (OCFO) selected E2 as the e-Travel system to provide travel services for the Agency. GSA implemented E2 in December 2006. GSA travelers can access E2 directly from the Internet, or from behind GSA’s network firewall. E2 processes sensitive but unclassified information, including personally identifiable information (PII), financial data, credit card information, and transaction amounts. In October 2008, GSA introduced miscellaneous reimbursement capabilities through E2 that are not associated with official travel. For GSA’s implementation of E2, the OCFO is responsible for managing user accounts, including authorizing system access and approval routing, and for implementing appropriate Agency travel policy. The FAS is responsible for working with CWGT to make any approved system changes, for ensuring the contractor implements appropriate security controls, and for managing the master contract with the ETS vendors.

In January 2006, the GSA Office of the Inspector General (OIG) Information Technology (IT) Audit Office issued a letter report[5] that conveyed the results of our assessment of select information security controls for E2 during Fiscal Year (FY) 2005. At that time, we found that steps taken to implement GSA’s IT Security Program and FISMA requirements for E2 were not always consistent with Agency policy and National Institute of Standards and Technology (NIST) guidance. Specifically, required security controls and rules of behavior for third party system interconnections had not been included in the system security plan or authorized as part of the system Certification and Accreditation (C&A), and the system Plan of Action and Milestones (POA&M) did not include all known security weaknesses identified in the risk assessment, security plan, and contingency plan test. We also reported that, while background checks had been initiated for CWGT contractors supporting the system, those checks were not always in line with GSA’s IT Security Policy. Vulnerability scanning conducted during our previous audit also identified specific system security weaknesses that required actions to strengthen system security.

[3] A Privacy Act System of Record is a system containing information that is retrieved by an individual’s name or other unique identifier assigned to the individual. This information is protected under the Privacy Act of 1974.
[4] For more information on system risk levels, refer to FIPS PUB 199, Standards for Security Categorization of Federal Information and Information Systems, February 2004.
[5] FY 2005 Office of Inspector General Information Security Analysis of the Carlson Wagonlit eTravel System, Report Number A050183/O/T/F06005, January 19, 2006.

RESULTS OF AUDIT

The General Services Administration (GSA) Office of the Chief Financial Officer (OCFO), with the assistance of the Federal Acquisition Service (FAS) Program Management Office (PMO), has applied many of the management, operational, and technical controls required by the Federal Information Security Management Act of 2002 (FISMA) and the GSA Information Technology (IT) Security Program for the E2 Solutions (E2) system. We tested 99 of 171 required baseline security controls and found no reportable conditions for 88 controls. See Appendix C for a detailed listing of the security controls tested.
We have identified improvements that are needed to enhance risk management practices and provide improved security for GSA’s implementation of the E2 system.

Risk management practices for E2 can be improved by strengthening the management controls that address requirements for, and risks specific to, GSA’s implementation of the system. Management controls can also be improved by ensuring that all needed risk assessment components, including threat identification and threat likelihood levels, are assessed. This could ensure that potential threats are addressed and reduce the likelihood that the system is exploited. Establishing agreements for a group of external systems that interface with E2 would better assist GSA with defining responsibilities for and coordinating actions in the event of a security incident. We also found that improvements can be made to enhance operational controls for GSA’s implementation of E2. For instance, contractors are being provided full system access prior to the successful completion of background investigations and security awareness training. Opportunities also exist to improve technical controls for GSA’s implementation of E2, such as implementing two-factor authentication for user access to the E2 system to more securely authenticate users and better protect GSA travel information, and restricting access to privileged information to those with a need-to-know. Additional technical control improvements can be made to strengthen system security, including assessing whether use of an approved web domain should be required for accessing E2 and whether use of a secure e-mail address for account password reset is needed. Configuration management vulnerabilities that could affect the confidentiality, integrity, and availability of GSA’s data were also identified. Technical weaknesses with the system database and device configuration demonstrate the need to strengthen configuration management practices to provide additional protection for the system and its sensitive data, including applying critical patches to the E2 servers. Throughout our audit we have kept E2 system security officials informed of our security control test results, and system security officials have either taken or informed us that they plan to take actions to mitigate risks related to several vulnerabilities identified in our testing. For example, system security officials are taking actions to enhance the security posture of E2 by disabling non-essential web server functionality, applying appropriate patches, securing account log-in procedures, and planning to review its password policy. Given the importance of this system and the travel and financial information it maintains, the OCFO and FAS-PMO should take additional steps to strengthen management, operational, and technical controls to better manage risks with this important system.

Management Controls

Management security controls consist of safeguards or countermeasures that focus on the management of risk and information system security and include certification[6] and accreditation[7] (C&A), risk assessment, security planning, and integrating security requirements into system and services acquisition processes. The OCFO and FAS-PMO have applied many of the management controls required with FISMA for E2 (see Appendix C). However, we found the need to strengthen specific controls to ensure that risks were being managed for GSA’s implementation of E2. The certification and accreditation (C&A) completed for E2 was for the Government-wide solution offered to any Federal agency and did not include controls implemented for or risks with GSA’s implementation of E2, specific to the GSA IT systems environment. By not assessing controls for specific risks with GSA’s implementation of E2, threats may not be properly identified, prioritized, and mitigated, possibly leaving the Agency without necessary compensating controls in place to reduce the likelihood of system exploits. We also identified one instance where E2 did not have needed agreements to specify responsibilities and controls for establishing, operating, and securing a system interconnection. Specific controls should be identified and stipulated to help prevent, detect, and deter potential system security breaches.

Certification and Accreditation Completed for E2 Did Not Consider Controls for and Risks with GSA’s Specific IT Systems Environment

A C&A was completed for the CWGT Government-wide E2 system solution that considered the complete array of security controls that are available to any Federal agency. Under the ETS initiative, Federal agencies first select one of the three systems available and then decide which features to implement from the overall solution offered by the vendor. We found that GSA has not yet documented the specific controls for the Agency’s implementation of E2 and, therefore, has not considered unique threats for GSA’s operational environment. While some steps have been undertaken to assess risks for GSA’s implementation of E2, specific actions are needed to strengthen the security posture of the system and ensure that risks within GSA’s IT systems environment are adequately prioritized and mitigated to better protect sensitive data and transactions.

FISMA requires the head of each agency to provide information security protections commensurate with the risk and magnitude of the harm resulting from unauthorized access, use, disclosure, disruption, modification, or destruction of information collected or maintained by or on behalf of the agency. It also requires this to be done for information systems used or operated by an agency or by a contractor of an agency or other organization on behalf of an agency. GSA information systems are required to be certified and accredited in accordance with National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53, NIST SP 800-37, and the GSA Information Technology (IT) Security Policy.
An Authorizing Official (AO) is\nrequired to authorize, in writing, information systems before they go into operation, accept any\n\n6\n  Certification refers to the process utilized to determine the extent to which controls are implemented correctly and\noperating as intended.\n7\n  Accreditation is the official management decision to authorize operation of an information system and to explicitly\naccept the risk to agency operations, assets, or individuals based upon the implementation of controls.\n\n\n                                                          4\n\x0cidentified and unmitigated risks, and identify any deviations from the GSA IT Security Policy.\nThese unmitigated risks and deviations from the IT Security Policy are known as residual risks.\n\nSystem security documentation for E2 included information on baseline security requirements\nand system categorization but did not address system boundaries or threat identification, which\nwould identify all potential threats to the system. Additionally, an e-authentication risk\nassessment, which included risk tolerance criteria, a risk transaction summary, and risk analysis,\nwas performed in September 2004. However, these risk management actions are not sufficient\nbecause vulnerabilities or risks specific to GSA\xe2\x80\x99s implementation of E2 have not been identified.\nRisks must be assessed with the certification and accreditation for GSA\xe2\x80\x99s systems to ensure that\nsecurity controls addressing associated risks have been appropriately implemented. Unidentified\nthreats can lead to system exploits, leaving GSA\xe2\x80\x99s data at risk.\n\nGSA security guidance on mitigating risk describes the key activities in managing enterprise-\nlevel risk for GSA\xe2\x80\x99s IT systems to ensure controls are implemented correctly and operating as\nintended. 
By relying solely on the C&A conducted on the Government-wide solution, GSA has\nnot identified any unmitigated risks or deviations from the Agency\xe2\x80\x99s IT Security Policy, such as\nnot having implemented two-factor authentication and not having written management\nauthorization for every system interconnection. A consolidated C&A has benefits, including\nreducing Federal agency resources to document and assess the effectiveness of security controls\ngeneric to the E2 Government-wide solution. However, it is important to ensure that the controls\nfor and risks with E2, as implemented within GSA\xe2\x80\x99s IT systems environment, have been\naddressed to evaluate risks specific to GSA and determine an overall level of risk the Agency is\nwilling to accept. Reconsidering specific residual risks with E2 operations could also guide GSA\nin implementing compensating controls that may be needed to protect Agency travel and\nfinancial data.\n\nAdditional Actions Are Needed to Establish Required System Interconnection Agreements\n\nInterconnections 8 are used to provide E2 users with travel availability and pricing information.\nThe system feeds financial data captured on travel transactions through an interconnection to the\nAgency financial System of Record, Pegasys. See Appendix D for a diagram of interconnections\nwith E2. E2 relies on the Global Distribution System (GDS), multiple private companies\nproviding specific pricing, scheduling, and transaction information for airlines, hotels, and other\nservices. The GDS is a commercial system that processes sensitive information, including\ncharge card account numbers and other PII. This review identified that an ISA/MOU has not\nbeen established for the interconnection with the GDS.\n\nThe GSA IT Security Policy requires written management authorization based on an acceptable\nlevel of risk before connecting an Agency IT system to other systems. 
This written authorization should define the rules of behavior and controls that must be maintained for the system interconnection. NIST recommends that an Interconnection Security Agreement (ISA) (or an equivalent document) be developed for information technology (IT) systems to document the technical requirements of the interconnection. These agreements help to guide the planning, establishment, maintenance, and termination of system interconnections where sensitive data and transactions incur risks. An ISA specifies the technical and security requirements for establishing, operating, and securing an interconnection. An MOU defines the purpose, identifies relevant authorities, specifies responsibilities, and defines the terms of the agreement. The development of these documents represents a proactive approach to security, as system management is able to make plans for prevention, deterrence, and detection of attacks rather than delaying decisions or appropriate actions until after a breach of security.

[8] NIST defines system interconnection as the direct connection of two or more IT systems for the purpose of sharing data and other information resources.

Our January 2006 FISMA letter report on the CWGT E2 Solutions Government-wide system identified that an ISA/MOU was not in place for the E2 interconnection with the GDS. In response to that report, this finding was listed in the E2 system Plan of Action and Milestones (POA&M). While the updated POA&M reports that an ISA/MOU had been developed in June 2007, our current review found that the ISA/MOU was not yet in place for the E2/GDS interconnection. According to system management, these agreements were not developed because the GDS relies on commercial legacy systems that are used by travel agencies to make reservations for official and leisure travel.
Without interconnection agreements in place for GDS systems, the rules for interconnecting systems and for protecting data shared between E2 and other feeder systems have not been identified. Consequently, it may be more challenging to prevent, deter, detect, and recover from an attack, as notification of the attack may be delayed and proper audit trails may not be captured and maintained, as necessary.

Operational Controls

Operational security controls address methods that are primarily implemented by people, as opposed to systems, and include measures such as contingency planning, maintenance, configuration management, awareness and training, incident response, media protection, physical and environmental protection, system and information integrity, and personnel security. While security officials have implemented many of the operational controls required with FISMA for E2 (see Appendix C), we identified opportunities to strengthen operational controls by ensuring that contractor background investigations are completed and security awareness training is provided to contractors prior to providing them with full system access.

Providing Contractors with Full System Access Prior to Successful Completion of Background Investigations Increases Risk to the System

GSA's IT Security Policy requires that background investigation requirements for access to GSA information systems, including contractor systems containing GSA information, be completed in accordance with the GSA Handbook ADM 9732.1C, Suitability and Personnel Security. Additionally, contractors working on Federal systems need to have a National Agency Check with Credit Inquiries (NACIC) equivalent or higher background investigation and fingerprint checks completed prior to being granted full access to a system.
While waiting on the background investigations, contractors can be given temporary access, limited to a need-to-know, after successful fingerprint checks have been received. The Project Manager and/or Information Systems Security Officer (ISSO) are responsible for identifying all contractors who need background investigations and for ensuring that they are successfully completed prior to providing contractor personnel with full system access. Our review of E2 found that there currently is no confirmation of successful completion of fingerprint checks or proof of adjudication and that there is no process in place to ensure that background investigations were both requested and completed. Consequently, contractors are being provided with full system access prior to having their background investigations completed.

According to system security officials, CWGT conducts employment history, education verification, and criminal background checks on employees during the hiring process; however, this does not satisfy GSA's requirements. Because CWGT contractors were provided full system access prior to the completion of required background investigations, the E2 System is operating at greater risk of an insider attack.

Improvements to Verify Security Awareness Training for Contractor Personnel Are Needed

Agencies are required to provide appropriate information system security training to personnel, including contractors and other users of information systems, prior to allowing them to perform their assigned duties. Agencies must also document and monitor individual information system security training activities, including basic security awareness training and role-based information system security training.
This training is necessary to inform users of information security risks associated with their activities as well as their responsibilities in complying with Agency policies and procedures designed to reduce these risks. GSA's IT Security Policy also requires all GSA employees and contractors to complete security awareness and privacy training annually to ensure that GSA, other agency, and contractor support staff involved in the management, design, development, operation, and use of IT systems are aware of their responsibilities for safeguarding GSA systems and information. While CWGT has implemented a tracking system to record the details of security training provided to its employees, for the sample we tested, CWGT was unable to verify that security awareness training was completed for all contractor personnel with system access. Our analysis of contractor security awareness training records reflected that processes were not in place to ensure records were properly maintained to verify the status of security awareness training. This has left GSA without confidence that adequate training was completed by CWGT prior to providing its staff with system access. Completion of GSA's security awareness training is important to ensure that everyone with access to the system knows their responsibilities for complying with Agency policies and procedures and is aware of their responsibilities related to safeguarding the system and its sensitive data.

Technical Controls

Technical controls focus on security capabilities executed by computer systems and include access controls, audit and accountability, identification and authentication, and system and communications protection. While the configuration settings control is identified by NIST as an operational control, the technical control weaknesses we identified were related to configuration management, so it is included in this section of the report.
Many of the technical controls required with FISMA have been implemented for E2 (see Appendix C). However, we found that opportunities exist to improve technical controls by implementing two-factor authentication and restricting access to privileged procedures to those with a need-to-know. We also identified configuration weaknesses with the operating system and database, which left system components vulnerable to attacks that could lead to unauthorized access and a compromise of the E2 system. Additionally, security can be strengthened by determining whether use of an approved web domain should be required to access E2 and whether use of a secure e-mail account should be required to reset user passwords.

Implementing Two-Factor Authentication Would More Securely Authenticate Users to the System to Better Protect GSA Employee Travel and Financial Information

Authentication controls are used to verify the identity of a user, process, or device to allow access to resources in an information system. Office of Management and Budget (OMB) Memorandum M-07-16 requires that all Federal information systems only allow remote access with two-factor authentication, where one of the factors is provided by a device separate from the computer gaining access. CWGT began offering two-factor authentication with E2 in September 2008. At the time of our review, GSA had not yet selected two-factor authentication for its implementation of the E2 system. Currently, E2 users in GSA access the system by using a user name and password; thus, authentication to the system is based only on what the user knows. GSA's implementation of E2 does not augment authentication methods using either of the other two factors: (1) what the user has or (2) who the user is.
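As an added illustration of the three factors just listed, and not part of this report or of the E2 system, the following Python verifies a knowledge factor (a password stored as a PBKDF2 hash) together with a possession factor (a time-based one-time password per RFC 6238, the kind produced by a token separate from the computer). The user record and salt are constructed sample values; the shared secret is the RFC 6238 reference key, so the generated codes can be checked against the published test vectors.

```python
import hashlib
import hmac
import struct

# Constructed sample user store (not E2 data). The TOTP secret is the
# RFC 6238 reference key so generated codes match the published vectors.
USER_DB = {
    "jdoe": {
        "salt": b"constructed-salt-value",
        "pw_hash": hashlib.pbkdf2_hmac(
            "sha256", b"correct horse battery staple", b"constructed-salt-value", 100_000
        ),
        "totp_secret": b"12345678901234567890",
    }
}

TIME_STEP = 30    # seconds per TOTP window (RFC 6238 default)
DIGITS = 6
DRIFT_WINDOW = 1  # accept one time step of clock skew either side


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """HMAC-based one-time password (RFC 4226) for a given counter value."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: int, step: int = TIME_STEP, digits: int = DIGITS) -> str:
    """Time-based one-time password (RFC 6238): HOTP over the current time step."""
    return hotp(secret, int(at_time) // step, digits)


def verify_totp(secret: bytes, code: str, at_time: int, window: int = DRIFT_WINDOW) -> bool:
    """Accept the code for the current step or up to `window` steps either side.

    The comparison is constant-time so timing does not reveal which digits matched.
    """
    current = int(at_time) // TIME_STEP
    return any(
        hmac.compare_digest(hotp(secret, current + delta), code)
        for delta in range(-window, window + 1)
    )


def verify_password(record: dict, password: str) -> bool:
    """Knowledge factor: re-derive the PBKDF2 hash and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), record["salt"], 100_000)
    return hmac.compare_digest(candidate, record["pw_hash"])


def authenticate(username: str, password: str, otp_code: str, at_time: int) -> bool:
    """Two-factor login: both the password and the one-time code must verify.

    Both checks always run, so a failure does not reveal which factor was wrong.
    """
    record = USER_DB.get(username)
    if record is None:
        return False
    password_ok = verify_password(record, password)
    otp_ok = verify_totp(record["totp_secret"], otp_code, at_time)
    return password_ok and otp_ok


if __name__ == "__main__":
    secret = USER_DB["jdoe"]["totp_secret"]
    code = totp(secret, 59)                      # RFC 6238 vector: 287082
    print("code at T=59:", code)
    print("both factors:", authenticate("jdoe", "correct horse battery staple", code, 59))
    print("password only:", authenticate("jdoe", "correct horse battery staple", "000000", 59))
```

A captured password alone no longer yields a session, because the second factor changes every 30 seconds and is checked with a small drift window rather than accepted indefinitely.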
Simple username and password authentication leaves users susceptible to attacks that are preventable with two-factor authentication, such as keystroke logging. One reason for the delay in implementing two-factor authentication for E2 is that the OCFO is waiting on the GSA Agency-wide solution for two-factor authentication. While current plans call for the GSA Chief Information Officer (CIO) to roll out two-factor authentication in September 2009, implementing two-factor authentication Agency-wide has been delayed over the past few years. Until two-factor authentication has been implemented, it is easier for an unauthorized user to access, modify or disclose sensitive information in E2 solutions.

The FAS-PMO completed an eAuthentication risk assessment for E2 in September 2004, which recommended the use of Level 3 authentication for users with access to or authority over 20 or more user accounts. This level of authentication requires two-factor authentication of users with this type of privileged access. System administrators have access to the profiles of other users, which may contain PII. At a minimum, GSA should expedite implementation of two-factor authentication for E2 users with access to 20 or more user accounts.

Access to Procedures for Privileged Users Are Not Restricted to Those with a Need-to-Know

While authentication controls verify a user's identity, authorization controls establish what a user is authorized to do and what privileges a user should have in an information system. For E2, a system administrator (depending on his/her level) can manage users, configure major and minor customer settings and define routing rules and approvers. Our review identified that all system users, through the system help feature, had access to system administrator procedures rather than restricting them to only those with a need-to-know.
According to a CWGT official, these procedures were not hidden because the E2 Knowledge Base (a database within E2 containing information related to all of the actions that are permitted within the system) was deliberately designed to contain all aspects of the system that are available for E2 users and to allow all E2 users this access. The CWGT official also stated that the system administrators' procedures in the E2 Knowledge Base were not hidden because only system administrators are able to actually perform the functions and because the Knowledge Base does not include procedures for performing Carlson-level system administrator functions, which control the entire system. We also found that training procedures that include information on privileged system administrator functions were available to those without a need-to-know, as these procedures were posted on GSA's Intranet and were made available to anyone with access to the Intranet, regardless of whether a person is an authorized E2 user. While granting knowledge of how to use E2 is necessary for using the system, by allowing access to privileged system administrators' procedures, a user may use explicit knowledge gained to devise a malicious attack by making unauthorized additions, modifications, or deletions to GSA's E2 data and/or processes. Subsequent to discussing our findings with security officials, the OCFO has removed the privileged training procedures from GSA's Intranet.
However, to fully address this weakness, GSA should also ensure that access to privileged procedures within the system is restricted to those with a need-to-know.

Prompt Remediation of Configuration Management Vulnerabilities Could Reduce Risks from Known Vulnerabilities

System security officials have taken proactive steps to secure E2 system components, such as performing quarterly vulnerability scanning, and tracking and documenting any system changes. However, insecure configuration settings of system components have placed the confidentiality, integrity, and availability of the E2 system and its data at risk. While our testing did not identify any issues with the web application security, we found vulnerabilities with database hardening and system device configurations, detailed in the sections that follow.

Database Security
GSA's IT Security Policy requires that all information systems be securely hardened and patched before being put into operation, and NIST SP 800-53 requires the organization to configure the security settings of information technology products to the most restrictive mode consistent with operational requirements. Additionally, GSA security guidance requires that the system enforce controls to ensure that the password for user accounts not be the same value as the username and that information systems be designed to require passwords to be changed every 90 days. While E2 databases should have been securely configured to meet these requirements, our testing found two security vulnerabilities, one high level vulnerability and one medium level vulnerability, on the E2 Oracle database servers. Specifically, we found Oracle user accounts with the password the same as the user name and Oracle accounts with expired passwords. Security vulnerabilities found with the E2 databases were due to insufficient oversight of the contractor.
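The two database findings above (a password equal to the username, and an expired or overdue password) are checks an administrator can script against an account export before a quarterly scan reports them. The following Python is an added example, not part of this report, of the E2 databases, or of any Oracle tool: it audits a constructed list of account records against the 90-day change interval cited above, and tests the username as a candidate password the way a scanner does, by hashing it with the account's salt and comparing hashes rather than handling plaintext. The record layout, salts, hash function, review date and severity labels are all assumptions.

```python
import hashlib
import hmac
from datetime import date

MAX_PASSWORD_AGE_DAYS = 90   # change interval required by the guidance cited above
PBKDF2_ROUNDS = 10_000       # assumption: how the sample store hashes passwords
REVIEW_DATE = date(2009, 6, 1)  # assumption: date the audit is run


def password_hash(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-SHA256; stands in for whatever the real database stores."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


# Constructed sample export (not E2 data). Fields mirror what an account
# listing typically provides: name, salt, hash, last change date, status.
SAMPLE_ACCOUNTS = [
    {"username": "APPUSER", "salt": b"s1",
     "hash": password_hash("APPUSER", b"s1"),              # password == username
     "password_changed": date(2009, 5, 1), "status": "OPEN"},
    {"username": "REPORTS", "salt": b"s2",
     "hash": password_hash("Tr@v3l-R3p0rts!", b"s2"),
     "password_changed": date(2009, 1, 15), "status": "OPEN"},   # not rotated in time
    {"username": "BATCH", "salt": b"s3",
     "hash": password_hash("batch", b"s3"),                # username in lower case
     "password_changed": date(2008, 11, 2), "status": "EXPIRED"},
    {"username": "SYSAPP", "salt": b"s4",
     "hash": password_hash("Qm7#pz!Lx9@wq2", b"s4"),
     "password_changed": date(2009, 4, 20), "status": "OPEN"},   # compliant
]


def username_candidates(username: str) -> set:
    """Case variants a scanner tries for the 'password equals username' check."""
    return {username, username.lower(), username.upper(), username.capitalize()}


def audit_accounts(accounts: list, today: date) -> list:
    """Return (username, severity, description) findings for policy violations."""
    findings = []
    for acct in accounts:
        for candidate in username_candidates(acct["username"]):
            # Compare derived hashes in constant time; never log the candidate.
            if hmac.compare_digest(password_hash(candidate, acct["salt"]), acct["hash"]):
                findings.append((acct["username"], "HIGH", "password equals username"))
                break
        age_days = (today - acct["password_changed"]).days
        if acct["status"].startswith("EXPIRED"):
            findings.append((acct["username"], "MEDIUM", "account password expired"))
        elif age_days > MAX_PASSWORD_AGE_DAYS:
            findings.append((acct["username"], "MEDIUM",
                             f"password not changed in {age_days} days "
                             f"(limit {MAX_PASSWORD_AGE_DAYS})"))
    return findings


def summarize(findings: list) -> dict:
    """Count findings per severity, the way scan reports tally them."""
    counts = {}
    for _, severity, _ in findings:
        counts[severity] = counts.get(severity, 0) + 1
    return counts


if __name__ == "__main__":
    results = audit_accounts(SAMPLE_ACCOUNTS, REVIEW_DATE)
    for user, severity, text in results:
        print(f"{severity:6} {user:8} {text}")
    print(summarize(results))
```

Running the audit from a scheduled job, rather than waiting for the quarterly scan, is what catches a weak password introduced by an ad hoc reset before it has been in place for a quarter.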
Specifically, system security officials noted that the insecure database passwords may have resulted from a password reset by a database administrator. Because weak passwords provide one of the most common methods for gaining unauthorized system access, which could lead to a compromise of the confidentiality, integrity, and/or availability of the travel services provided by GSA's implementation of E2, the OCFO should work with the FAS-PMO to ensure the database is configured in accordance with GSA security guidance. Additional details of configuration management vulnerabilities identified with our technical database scanning are noted in Appendix E.

Network Security
As discussed previously, GSA's IT Security Policy requires all systems to be securely hardened before being put into operation. The policy also requires information systems to protect the confidentiality of transmitted sensitive information. Additionally, NIST SP 800-53 requires that federal information systems be securely configured to provide only the essential capabilities necessary to support organizational operations and that the organization promptly install newly released security updates after testing for adverse effects. Our network-based vulnerability testing identified that system hardening efforts taken by the security officials were not sufficient to ensure that all devices were appropriately hardened, as we found two high and two medium level vulnerabilities on 11 of the 17 system devices tested. Specifically, we identified that all unnecessary services had not been removed or turned off and that patches had not been applied in a timely manner. Unnecessary services running on the system and untimely patching of devices on the network leave the system vulnerable to denial of service, unauthorized access, and remote command execution.
In order to address identified system device security weaknesses, system security officials should strengthen configuration management processes to ensure that non-essential services are disabled and that the software running on the networked servers is patched in a timely manner. Additional details of configuration management vulnerabilities identified with our technical network-based security scanning are noted in Appendix F.

GSA Should Specify if Approved Domain Is Required for Accessing E2

Under FISMA, approved websites with domains that identify government systems, including ".gov", ".mil", or ".Fed.us", should be used in performing agency functions to ensure a clear, unambiguous public notification of the Agency's involvement in or sponsorship of the website. FISMA and OMB have previously recognized a need to use other domains in certain limited, approved circumstances for proper performance of agency functions. GSA is allowing access to E2 through a .com website without an explicit written determination by the GSA Administrator of the need to use an unapproved domain to perform Agency travel functions, as E2 has been viewed as a commercial system and service purchased for government use rather than a government system. The efficient, effective, and consistent use of Federal agency public websites is important to promote a more citizen-centered government and to provide added confidence, integrity, and quality to the information provided by Federal agencies over the Internet. The use of non-government domains could also increase risks of phishing[10] attacks, where deception is used to play on the public's trust of the legitimate entity. To mitigate the risks associated with the Agency's external web presence, GSA should determine whether a Federal web domain is necessary for the proper performance of this Agency function.
[10] According to US-CERT, the United States Computer Emergency Readiness Team, phishing is the act of stealing personal information via the Internet for the purpose of committing financial fraud.

Use of Secure Government E-mail Accounts When Resetting E2 User Passwords Could Reduce System Risks

According to the United States Computer Emergency Readiness Team (US-CERT), users should not use free e-mail service providers when messages may contain sensitive information. Since users are not paying for free e-mail accounts, the free e-mail service providers may not have a strong commitment to protecting the user from various threats, and the security features they offer might not meet government standards. Our review found that current processes for resetting E2 user account passwords leave the system open to undue risk. When an E2 user needs to reset their password, they are required to call the E2 Help Desk. However, when calling the Help Desk, a user can verbally give the Help Desk operator an e-mail address to have the reset password sent to, even if the e-mail address is not previously identified in the user's profile. Additionally, with GSA's implementation of E2, users are permitted to modify the primary e-mail address from their GSA e-mail address to an address provided by a free e-mail service, such as Yahoo!, Hotmail, or Gmail. The password reset e-mail provides a link to re-establish the user's security profile and requests that the user respond to two security questions, as long as the user has set up the security questions as part of their profile. If not, the user is not required to respond to any security questions to reset their password.
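The reset process just described has three weak points: the reset can be sent to an address the caller names rather than the one on file, the address on file may belong to a free e-mail service, and the security questions are optional. As an added example, not part of this report or of the E2 system, the following Python shows a reset policy that closes each gap: the token is issued only for the address of record, that address must be on a government domain, question enrolment is required before any token is issued, and the token is single-use and time-limited. The sample profiles, the approved-domain list (built from the domains the report names), the token lifetime and the function names are assumptions.

```python
import hmac
import secrets
from datetime import datetime, timedelta

# Assumption: the domains the report names as approved for government systems.
APPROVED_EMAIL_SUFFIXES = (".gov", ".mil", ".fed.us")
TOKEN_LIFETIME = timedelta(minutes=30)        # assumption
MIN_SECURITY_QUESTIONS = 2                    # the report describes two questions
REQUEST_TIME = datetime(2009, 6, 1, 9, 0)     # assumption: when the sample requests arrive

# Constructed sample profiles (not E2 data).
GOV_PROFILE = {
    "username": "jdoe",
    "email": "jane.doe@gsa.gov",
    "security_questions": [("city of birth", "Springfield"), ("first pet", "Rex")],
}
FREEMAIL_PROFILE = {
    "username": "rroe",
    "email": "richard.roe@example-freemail.com",   # placeholder for a free-mail provider
    "security_questions": [],
}


class ResetPolicyError(Exception):
    """Raised when a reset request violates policy; no token is issued."""


def email_domain(address: str):
    """Lower-cased domain part of the address, or None if it is malformed."""
    local, sep, domain = address.strip().rpartition("@")
    if not sep or not local or not domain or "@" in local:
        return None
    return domain.lower()


def is_government_address(address: str) -> bool:
    domain = email_domain(address)
    return domain is not None and domain.endswith(APPROVED_EMAIL_SUFFIXES)


def request_password_reset(profile: dict, requested_email: str, now: datetime, store: dict) -> str:
    """Issue a single-use reset token, deliverable only to the address of record."""
    on_file = profile["email"]
    if requested_email.strip().lower() != on_file.strip().lower():
        raise ResetPolicyError("reset may only be sent to the address of record")
    if not is_government_address(on_file):
        raise ResetPolicyError("address of record is not on an approved government domain")
    if len(profile.get("security_questions", [])) < MIN_SECURITY_QUESTIONS:
        raise ResetPolicyError("security questions must be enrolled before a reset is issued")
    token = secrets.token_urlsafe(32)
    store[token] = {"user": profile["username"], "expires": now + TOKEN_LIFETIME, "used": False}
    return token


def redeem_reset_token(profile: dict, token: str, answers: list, now: datetime, store: dict) -> bool:
    """Accept the token once, before expiry, and only with every answer correct."""
    rec = store.get(token)
    if rec is None or rec["used"] or rec["user"] != profile["username"] or now > rec["expires"]:
        return False
    expected = [answer for _, answer in profile["security_questions"]]
    if len(answers) != len(expected):
        return False
    ok = True   # check every answer (no early exit) with constant-time comparison
    for given, want in zip(answers, expected):
        ok &= hmac.compare_digest(given.strip().lower().encode(), want.strip().lower().encode())
    rec["used"] = True   # burn the token whether or not the answers were right
    return ok


def demo() -> dict:
    """Exercise the policy against the sample profiles and return the outcomes."""
    store, results = {}, {}
    try:   # caller names an address other than the one on file
        request_password_reset(GOV_PROFILE, "someone.else@gsa.gov", REQUEST_TIME, store)
        results["other_address"] = "issued"
    except ResetPolicyError as err:
        results["other_address"] = str(err)
    try:   # address of record is a free-mail account
        request_password_reset(FREEMAIL_PROFILE, FREEMAIL_PROFILE["email"], REQUEST_TIME, store)
        results["freemail"] = "issued"
    except ResetPolicyError as err:
        results["freemail"] = str(err)
    token = request_password_reset(GOV_PROFILE, "Jane.Doe@GSA.gov", REQUEST_TIME, store)
    later = REQUEST_TIME + timedelta(minutes=5)
    results["first_redeem"] = redeem_reset_token(GOV_PROFILE, token, ["springfield", "rex"], later, store)
    results["replay"] = redeem_reset_token(GOV_PROFILE, token, ["springfield", "rex"], later, store)
    stale = request_password_reset(GOV_PROFILE, GOV_PROFILE["email"], REQUEST_TIME, store)
    results["expired"] = redeem_reset_token(GOV_PROFILE, stale, ["springfield", "rex"],
                                            REQUEST_TIME + timedelta(hours=1), store)
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:14} {outcome}")
```

The Help Desk operator never chooses the destination in this design; the address of record is the only place a token can go, so changing the profile e-mail to a free-mail account simply makes resets unavailable until a government address is restored.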
CWGT officials indicated that the system was designed this way because some agencies do not use government e-mail addresses and that a business case would have to be developed, and a task order put in place, to require a system change. Further, there is no Agency guidance prohibiting the use of free e-mail services when resetting E2 user passwords or transmitting PII. To address this issue, the OCFO should require that the transmission of sensitive information, including password resets, be restricted to a GSA e-mail address.

Next Steps

A November 18, 2008 Office of General Counsel (OGC) memorandum provided a legal opinion that addressed questions raised by the GSA Senior Agency Information Security Officer (SAISO) regarding whether or not specific IT systems that are currently included in the GSA-CIO's FISMA inventory qualify as "Federally-Controlled Information Systems." The legal opinion considered the E-Travel systems, NETWORX Operational Support Systems, GSA SMARTPAY information systems, WITS3 Operational Support System, and two project management systems used by PBS. In this memorandum, the OGC concluded that only the PBS project management systems qualify as FISMA systems, as defined by the Federal Acquisition Regulation (FAR). This legal opinion seems to view FISMA information security requirements as being applicable only to "Federally Controlled Information Systems" per the FAR, as opposed to the FISMA definition of applicability to "information systems used or operated by an agency or by a contractor of an agency or other organization on behalf of an agency." Therefore, it was considered a contract administration issue rather than a risk management challenge for GSA. Recent OMB feedback to the SAISO stated that systems that hold Federal data should comply with all FISMA requirements and that controls for these systems should be risk-based and within a reasonable cost for the benefit provided.
With this informal correspondence on the question raised regarding contractor operated systems, OMB emphasizes that GSA should have a program for managing the risk with these types of systems. This should include such things as determining the risk and the controls that are needed and ensuring that all IT security controls are correctly listed in contracts and that there are methods for the agency to check that contractors are complying with those requirements on an ongoing basis.

CONCLUSIONS

The OCFO and FAS-PMO have applied many of the management, operational, and technical controls established with FISMA and GSA's IT Security Program for E2, a "moderate" risk system that maintains travel and financial data, including PII. Our review of 99 of 171 specific security controls found the need for improvement in 11 of those controls, approximately 11% of controls tested. While Agency officials are taking actions to enhance security for E2, we found the need to strengthen specific management, operational, and technical controls to maintain the security of the system and its sensitive data.

Risk management practices can be improved by strengthening management controls to ensure that security controls required for and risks specific to GSA's implementation of E2 are considered and that all needed risk assessment components have been addressed. We also found the need to establish an ISA/MOU for the E2/GDS interconnection. The Agency can enhance operational readiness by ensuring that background investigations for contractors are performed and that those contractors have completed annual security awareness training prior to granting them full access to the E2 system.
Additionally, applying further technical controls, such as implementing two-factor authentication and restricting access to privileged information on system administrative procedures, can strengthen system security. Opportunities also exist to strengthen technical controls by assessing whether the use of an approved web domain should be required for accessing E2 and whether use of a secure e-mail address for account password reset is needed. Finally, securely configuring E2 databases and other system components would help to ensure the protection of the system and its data. Strengthening management, operational, and technical controls, as noted in this report, can facilitate ongoing efforts to ensure that E2, and the sensitive travel and financial data it maintains, are adequately secured.

RECOMMENDATIONS

To better manage IT security risks with the GSA implementation of E2 and ensure the confidentiality, integrity and availability of this system and the data it maintains, we recommend that the Office of the Chief Financial Officer (OCFO) work with the Federal Acquisition Service (FAS) Program Management Office (PMO) and the Office of the Chief Information Officer (OCIO) to take actions to strengthen:

   1. Management controls by:

           a) Ensuring that controls for and risks with GSA's implementation of E2, specific to the GSA IT systems environment, have been adequately addressed.
           b) Establishing a Memorandum of Understanding (MOU) and Interconnection Security Agreement (ISA) for the E2 interconnection with the Global Distribution System (GDS).

   2.
      Operational controls by:

           a) Obtaining assurance that an adequate process is in place and being used to effectively track the completion of background investigations and annual security awareness training prior to providing contractors with full access to GSA data.

   3. Technical controls by:

           a) Identifying those users with privileged access and expediting implementation of two-factor authentication for those users.
           b) Restricting access to privileged procedures to those with a need-to-know.
           c) Ensuring that GSA-Chief Information Officer (CIO) hardening guides are applied.
           d) Disabling unnecessary functionality to eliminate the threat posed by providing non-essential services and ensuring that software running on the networked servers is properly patched to the most recent versions.
           e) Determining whether a .com domain is necessary for the proper performance of the operation of the E2 Solutions (E2) travel system, or whether an approved web domain, such as .gov, .mil, or .Fed.us, should be used.
           f) Developing IT Security procedures to restrict the transmission of sensitive information, including password resets, to government e-mail addresses.

MANAGEMENT COMMENTS

Our recommendations are directed to the GSA-CFO and focus on specific improvements for management, operational, and technical controls needed to strengthen security for GSA's implementation of the e-Government Travel Services E2 Solutions system. The CFO generally agrees with our findings and recommendations, and a copy of the written management response to our draft report is provided in Appendix G.
Included in the management comments are views from the FAS-PMO, which has responsibilities for ensuring that FISMA requirements are met for the government-wide E2 Solutions also offered by GSA to other Federal agencies. As discussed in our report, the GSA Office of the CFO is responsible for ensuring the implementation of adequate security controls for the Agency's implementation of the e-Government Travel Services E2 Solutions system as GSA's official travel management solution. With this FISMA security audit, we also considered the key role of the GSA Senior Agency Information Security Officer, who is responsible, within the GSA IT Security Program, for ensuring that systems that hold Federal data comply with all FISMA requirements and that controls for these systems are risk-based and within reasonable cost for the benefit provided. Our position, as noted throughout the report, is that GSA's IT Security Program should ensure that risks are being managed with GSA e-Government systems, including this e-Government Travel Services E2 Solutions system. While some issues raised may require specific actions from the FAS-PMO for the government-wide e-Travel solution, our audit did not include a focused assessment of government-wide security requirements for e-Government systems or full capabilities of the broader e-Government Travel Services E2 Solutions system offered by the FAS-PMO. Included in the CFO's comments to our draft report is a response from the FAS-PMO that indicates disagreement related to two of our recommendations to the GSA-CFO.

Recommendation #1b calls for the GSA-CFO to work with the FAS-PMO and the GSA-CIO to establish a Memorandum of Understanding (MOU) and an Interconnection Security Agreement (ISA) for the E2 Interconnection with the Global Distribution System (GDS).
As indicated in the CFO's management response, the FAS-PMO disagreed with this recommendation, stating that the GDSx application interface is considered within the E2 System boundary and that CWGT does not directly connect to the GDS via a connection type that requires an ISA/MOU. We maintain that these agreements are needed to adequately secure GSA's systems and data under the provisions of FISMA. By gaining assurance that the FAS-PMO has established all needed MOUs/ISAs related to the government-wide solution provided to GSA, the CFO will be better equipped to manage security for GSA's implementation of E2. Attention to these critical agreements will also help the CFO to prevent, detect, deter, and recover from a compromise of GSA financial or sensitive travel data because of a security breach with an interconnecting system.

Recommendation #3e also calls for the GSA-CFO to work with the FAS-PMO and GSA-CIO to determine whether a .com domain is necessary for the e-Government Travel Services E2 Solutions system. In the CFO's management response, the FAS-PMO disagreed with this recommendation, stating that ETS vendors do not fall under the category of a Federal agency public website, as defined by OMB. We maintain the need for the CFO to take actions to address risks identified by our audit, including following criteria for a Federal agency public website, since E2 is operated by an Agency, contractor, or other organization on behalf of the Agency.
A decision as to whether or not it is acceptable to access E2 through a .com website rather than through a .gov, .mil, or .Fed.us website should be made to determine whether or not the Agency may be able to leverage potential security enhancements.

INTERNAL CONTROLS

As discussed in the objective, scope, and methodology section of our report, which is shown in Appendix A, the objective of our audit was to determine if GSA has implemented management, operational, and technical security controls to effectively manage specific risks with a travel and financial management system which holds PII in accordance with the Federal Information Security Management Act of 2002 (FISMA) and the Agency's Information Technology (IT) Security Program. If not, what additional actions are needed to better manage IT security risks for the system? As such, we assessed the effectiveness of implementation of the requirements of FISMA and the policies and procedures established with GSA's IT Security Program. This audit included a review of selected management, operational, and technical controls for "moderate risk" systems, as identified in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53, Recommended Security Controls for Federal Information Systems, Revision 2, December 2007. We did not test all controls required by NIST or detailed security requirements established with GSA's IT Security Program for E2.
The Results of Audit and Recommendations sections of the report state, in detail, the need to strengthen specific management, operational, and technical controls with E2.

APPENDIX A – OBJECTIVE, SCOPE, AND METHODOLOGY

This interim audit report on information security of the General Services Administration (GSA) implementation of the E2 Solutions (E2) system was conducted under an ongoing, broader scope audit that we commenced in June 2008. This broader scope audit was divided into two phases. The first phase involved a review of the implementation of select security controls established under the Federal Information Security Management Act of 2002 (FISMA) and GSA’s Information Technology (IT) Security Program for GSA’s implementation of E2. The second phase will assess GSA’s implementation of E2 to determine how well the system is meeting management and user requirements and the extent to which the system has achieved intended goals and benefits associated with transitioning to an e-Government e-Travel system. We will also determine whether GSA’s implementation of E2 provides for efficient, effective, accurate, and secure travel transactions, including protection of personally identifiable information (PII) and other sensitive data such as Agency financial and travel information.
Results of the second phase of the audit will be issued in a separate report.

The objective of our audit of information security for E2 was to determine if GSA has implemented management, operational, and technical security controls to effectively manage risks inherent with a travel and financial management system which holds PII, in accordance with FISMA and GSA’s IT Security Program. If not, what additional actions are needed to better manage IT security risks for the system? We focused our security review on the web applications, databases, and associated system devices utilized by GSA to access and utilize E2 to provide travel management services. We did not include in this audit an assessment of the effectiveness or efficiency of the system or its functions or the accuracy of the data the system maintains.

To gather information on E2, we met with system security officials, including the Federal Acquisition Service (FAS) Program Management Office (PMO) Information Systems Security Officer (ISSO) and the Carlson Wagonlit Government Travel (CWGT) ISSO. We also reviewed appropriate system security documentation, including the system certification and accreditation package, the interconnection security agreement between GSA and CWGT, memorandum of understanding, service level agreements, security incident reports transmitted to the US Computer Emergency Readiness Team (US-CERT), results of quarterly technical testing, quarterly updates to the system plan of action and milestones, security training records for individuals with significant security responsibilities, the eAuthentication risk assessment, and the privacy impact assessment. We performed a site visit to the primary data center in Plymouth, Minnesota on October 21, 2008, to the Disaster Recovery site in Omaha, Nebraska on October 24, 2008, and to the Iron Mountain backup tape facility in Bloomington, Minnesota on October 23, 2008.
We performed physical security reviews at all three sites and used commercially available tools and agreed-upon procedures to test web application security, database security, and operating system security for the E2 system.

Our system tests included controls selected from each of the 17 families of controls identified by National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53, Recommended Security Controls for Federal Information Systems, Revision 2, which establishes minimum information security requirements. Additionally, we reviewed applicable hardening and procedural guides published by the GSA Chief Information Officer and internal security procedures developed by the E2 contractor, CWGT. To assess controls for the system, we relied on information security legislation, policy, standards, procedures, and guidance, including the Office of Management and Budget (OMB) Circular A-130, Revised, Appendix III, Security of Federal Automated Information Resources, November 2000; OMB Memorandum M-05-04, Policies for Federal Agency Public Websites, December 2004; OMB Memorandum M-07-16, Safeguarding Against and Responding to the Breach of Personally Identifiable Information, May 2007; OMB Memorandum M-08-23, Securing the Federal Government’s Domain Name System Infrastructure, August 2008; Federal Information Processing Standards (FIPS) Publication (PUB) 199, Standards for Security Categorization of Federal Information and Information Systems, February 2004; FIPS PUB 200, Minimum Security Requirements for Federal Information and Information Systems, March 2006; Federal Information Security Management Act of 2002 (FISMA); NIST special publications related to risk management, security planning, and certification and accreditation; GSA Information Technology (IT) Security Policy, CIO P 2100.1D, June 2007; and related GSA-CIO IT Security procedural
guides, technical guides, and standards.

We conducted this performance audit in accordance with generally accepted government auditing standards between June 2008 and February 2009. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives.

APPENDIX B – SECURITY ROLES AND RESPONSIBILITIES RELATED TO GSA’S IMPLEMENTATION OF E2

[Organization chart. Only the entity names and the legend survive extraction; the reporting lines are not recoverable.]

Entities shown in the chart:
    GSA Administrator
    GSA CIO
    GSA SAISO
    FAS CIO – ETS AO
    FAS ISSM
    FAS ETS PMO – System Owner
    ETS ISSO
    GSA CFO
    ETS – E2 Carlson Wagonlit Task Order
    Adventure Travel TMC Services
    E2 User Group
    E2 Master Contract Carlson Wagonlit
    Carlson Wagonlit ISSO
    Iron Mountain

Legend: GSA Entity; Contractor; Other Entity

APPENDIX C - GSA-OIG E2 FISMA AUDIT PRELIMINARY OBSERVATIONS

Table columns: NIST 800-53 Control Family; NIST 800-53 Control; Observation (Condition); Criteria. Controls for which no reportable conditions were identified are listed on a single line.

Access Controls (AC)
    AC-2: Account Management. No reportable conditions identified.
    AC-3: Access Enforcement. No reportable conditions identified.
    AC-4: Information Flow Enforcement. No reportable conditions identified.
    AC-5: Separation of Duties. No reportable conditions identified.
    AC-6: Least Privilege.
        Observation (Condition): Access to privileged system administrative procedures has not been restricted based on a need-to-know.
        Criteria: The information system enforces the most restrictive set of rights/privileges/accesses needed by users (or processes acting on behalf of users) for the performance of specified tasks.
    AC-7: Unsuccessful Login Attempts. No reportable conditions identified.
    AC-8: System Use Notification. No reportable conditions identified.
    AC-11: Session Lock. No reportable conditions identified.
    AC-12: Session Termination. No reportable conditions identified.
    AC-13: Supervision and Review. No reportable conditions identified.
    AC-17: Remote Access.
        Observation (Condition): While the Government-wide solution provides for the capability to implement two-factor authentication, GSA has not yet implemented two-factor authentication within its IT system environment.
        Criteria: The organization authorizes, monitors, and controls all methods of remote access to the information system.
    AC-18: Wireless Access Restrictions. No reportable conditions identified.
    AC-19: Access Control for Portable and Mobile Devices. No reportable conditions identified.
    AC-20: Use of External Information System. No reportable conditions identified.

Awareness and Training (AT)
    AT-2: Security Awareness.
        Observation (Condition): GSA officials with significant security responsibilities have been provided with security awareness training. We were unable to verify that all contractors with privileged system and/or database administration access have received security awareness training due to deficiencies with the contractor’s system for tracking training.
        Criteria: The organization provides basic security awareness training to all information system users (including managers and senior executives) before authorizing access to the system, when required by system changes, and annually thereafter.
    AT-3: Security Training. No reportable conditions identified.
    AT-4: Security Training Records.
        Observation (Condition): We were unable to verify that all contractors with privileged system and/or database administration access have received role-based training due to deficiencies with the contractor’s system for tracking training.
        Criteria: The organization documents and monitors individual information system security training activities including basic security awareness training and specific information system security training.

Audit & Accountability (AU)
    AU-3: Content of Audit Records. No reportable conditions identified.
    AU-4: Audit Storage Capacity. No reportable conditions identified.
    AU-5: Response to Audit Processing Failures. No reportable conditions identified.
    AU-6: Audit Monitoring, Analysis, and Reporting. No reportable conditions identified.
    AU-9: Protection of Audit Information. No reportable conditions identified.
    AU-10: Non-Repudiation. No reportable conditions identified.

Certification, Accreditation, and Security Assessments (CA)
    CA-2: Security Assessments. No reportable conditions identified.
    CA-3: Information System Connections.
        Observation (Condition): Risks with the GDS Interconnections to E2 did not appear to be assessed and managed within the C&A.
        Criteria: The organization authorizes all connections from the information system to other information systems outside of the accreditation boundary through the use of system connection agreements and monitors/controls the system connections on an ongoing basis.
    CA-4: Security Certification.
        Observation (Condition): GSA has not completed a Certification and Accreditation (C&A) of its implementation of E2; therefore, specific controls within GSA were not documented.
        Criteria: The organization conducts an assessment of the security controls in the information system to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system.
    CA-5: Plan of Action and Milestones. No reportable conditions identified.
    CA-6: Security Accreditation.
        Observation (Condition): GSA has not completed a Certification and Accreditation (C&A) of its implementation of E2; therefore, specific controls within GSA were not documented.
        Criteria: The organization authorizes (i.e., accredits) the information system for processing before operations and updates the authorization at least every three years or when there is a significant change to the system. A senior organizational official signs and approves the security accreditation.
    CA-7: Continuous Monitoring. No reportable conditions identified.

Configuration Management (CM)
    CM-3: Configuration Change Control. No reportable conditions identified.
    CM-4: Monitoring Configuration Changes. No reportable conditions identified.
    CM-5: Access Restrictions for Change. No reportable conditions identified.
    CM-6: Configuration Settings.
        Observation (Condition): The databases and networked devices were not configured in accordance with NIST guidance and GSA hardening standards.
            • Our automated vulnerability testing identified insecure configuration settings (insecure database accounts, unnecessary services, and untimely patching) for the database and operating system that could affect the confidentiality, integrity, and availability of GSA’s data.
        Criteria: The organization: (i) establishes mandatory configuration settings for information technology products employed within the information system; (ii) configures the security settings of information technology products to the most restrictive mode consistent with operational requirements; (iii) documents the configuration settings; and (iv) enforces the configuration settings in all components of the information system.
    CM-7: Least Functionality.
        Observation (Condition): Networked devices were not configured in accordance with NIST guidance and GSA hardening standards.
        Criteria: The organization configures the information system to provide only essential capabilities.
    CM-8: Information System Component Inventory. No reportable conditions identified.

Contingency Planning (CP)
    CP-2: Contingency Plan. No reportable conditions identified.
    CP-3: Contingency Training. No reportable conditions identified.
    CP-4: Contingency Plan Testing and Exercises. No reportable conditions identified.
    CP-5: Contingency Plan Update. No reportable conditions identified.
    CP-7: Alternate Processing Site. No reportable conditions identified.
    CP-10: Information System Recovery and Reconstitution. No reportable conditions identified.

Identification and Authentication (IA)
    IA-2: User Identification and Authentication. No reportable conditions identified.
    IA-4: Identifier Management. No reportable conditions identified.
    IA-5: Authenticator Management. No reportable conditions identified.

Incident Response (IR)
    IR-2: Incident Response Training. No reportable conditions identified.
    IR-3: Incident Response Testing and Exercises. No reportable conditions identified.
    IR-4: Incident Handling. No reportable conditions identified.
    IR-5: Incident Monitoring. No reportable conditions identified.
    IR-6: Incident Reporting. No reportable conditions identified.

Maintenance (MA)
    MA-2: Controlled Maintenance. No reportable conditions identified.
    MA-3: Maintenance Tools. No reportable conditions identified.
    MA-4: Remote Maintenance. No reportable conditions identified.
    MA-5: Maintenance Personnel. No reportable conditions identified.

Media Protection (MP)
    MP-2: Media Access. No reportable conditions identified.
    MP-4: Media Storage. No reportable conditions identified.
    MP-5: Media Transport. No reportable conditions identified.
    MP-6: Media Sanitization and Disposal. No reportable conditions identified.

Physical and Environmental Protection (PE)
    PE-2: Physical Access Authorizations. No reportable conditions identified.
    PE-3: Physical Access Control. No reportable conditions identified.
    PE-6: Monitoring Physical Access. No reportable conditions identified.
    PE-7: Visitor Control. No reportable conditions identified.
    PE-8: Access Records. No reportable conditions identified.
    PE-9: Power Equipment and Power Cabling. No reportable conditions identified.
    PE-10: Emergency Shutoff. No reportable conditions identified.
    PE-11: Emergency Power. No reportable conditions identified.
    PE-12: Emergency Lighting. No reportable conditions identified.
    PE-13: Fire Protection. No reportable conditions identified.
    PE-14: Temperature and Humidity Controls. No reportable conditions identified.
    PE-15: Water Damage Protection. No reportable conditions identified.
    PE-16: Delivery and Removal. No reportable conditions identified.

Planning (PL)
    PL-2: System Security Plan. No reportable conditions identified.
    PL-3: System Security Plan Update. No reportable conditions identified.
    PL-4: Rules of Behavior. No reportable conditions identified.
    PL-5: Privacy Impact Assessment. No reportable conditions identified.

Personnel Security (PS)
    PS-2: Position Categorization. No reportable conditions identified.
    PS-3: Personnel Screening. No reportable conditions identified.
    PS-4: Personnel Termination. No reportable conditions identified.
    PS-5: Personnel Transfer. No reportable conditions identified.
    PS-6: Access Agreements. No reportable conditions identified.
    PS-7: Third-Party Personnel Security.
        Observation (Condition): Delays in completing background investigations.
        Criteria: The organization establishes personnel security requirements including security roles and responsibilities for third-party providers and monitors provider compliance.
    PS-8: Personnel Sanctions. No reportable conditions identified.

Risk Assessment (RA)
    RA-2: Security Categorization. No reportable conditions identified.
    RA-3: Risk Assessment.
        Observation (Condition): An assessment of risk to E2, as implemented within GSA’s IT system environment, has not been performed.
        Criteria: The organization conducts assessments of the risk and magnitude of harm that could result from the unauthorized access, use, disclosure, disruption, modification, or destruction of information and information systems that support the operations and assets of the agency (including information and information systems managed/operated by external parties).
    RA-5: Vulnerability Scanning. No reportable conditions identified.

System and Service Acquisition (SA)
    SA-2: Allocation of Resources. No reportable conditions identified.
    SA-3: Life Cycle Support. No reportable conditions identified.
    SA-4: Acquisitions. No reportable conditions identified.
                                               SC-5: Denial of Service                                   No reportable conditions identified.\n                                                  Protection\n                                                  SC-8: Transmission Integrity                              No reportable conditions identified.\n                                                  SC-9: Transmission                                        No reportable conditions identified.\n                                                  Confidentiality\n          System and Information Integrity (SI)\n\n\n\n\n                                                  SC-12: Cryptographic Key                                  No reportable conditions identified.\n                                                  Establishment and Management\n                                                  SC-13: Use of Cryptography                                No reportable conditions identified.\n                                                  SC-17: Public Key                                         No reportable conditions identified.\n                                                  Infrastructure Certificates\n                                                  SI-2 Flaw Remediation                                     No reportable conditions identified.\n                                                  SI-3: Malicious Code                                      No reportable conditions identified.\n                                                  Protection\n                                                  SI-4: Information System                                  No reportable conditions identified.\n                                                  Monitoring Tools and\n                                                  Techniques\n                                                  SI-5: Security Alerts and                                 No reportable conditions identified.\n  
                                                Advisories\n                                                  SI-10: Information Accuracy,                              No reportable conditions identified.\n                                                  Completeness, Validity, and\n                                                  Authenticity\n                                                  SI-11: Error Handling                                     No reportable conditions identified.\n\n\n                                                                                  C-9\n\x0c                      FY 2009 OFFICE OF INSPECTOR GENERAL\n                         AUDIT OF THE E2 TRAVEL SYSTEM\n                               SECURITY CONTROLS\n                        REPORT NUMBER A080180/B/T/F09008\n\n                   APPENDIX D \xe2\x80\x93 E2 SYSTEM INTERCONNECTIONS\n                   APPENDIX E \xe2\x80\x93 DATABASE SECURITY RESULTS\n                    APPENDIX F \xe2\x80\x93 NETWORK SECURITY RESULTS\n\n\n\n\nDue to the sensitive nature of information contained in this appendix, only reports\nprovided to system security officials and the GSA Senior Agency Information Security\nOfficer contain detailed technical security assessment results in Appendices D-F. 
Requests\nfor the details of the technical security assessment results should be referred to the Deputy\nAssistant Inspector General for Information Technology Audits at 703-308-1223.\n\x0cFY 2009 OFFICE OF INSPECTOR GENERAL\n   AUDIT OF THE E2 TRAVEL SYSTEM\n         SECURITY CONTROLS\n  REPORT NUMBER A080180/B/T/F09008\n\nAPPENDIX G \xe2\x80\x93 MANAGEMENT COMMENTS\n\n\n\n\n                G-1\n\x0cG-2\n\x0cG-3\n\x0c                                FY 2009 OFFICE OF INSPECTOR GENERAL\n                                   AUDIT OF THE E2 TRAVEL SYSTEM\n                                         SECURITY CONTROLS\n                                  REPORT NUMBER A080180/B/T/F09008\n\n                                   APPENDIX H \xe2\x80\x93 REPORT DISTRIBUTION\n\nWITH APPENDICES D-F                                                                                   Electronic Copies\nOffice of the Chief Financial Officer (B) ..............................................................................4\n          Chief Financial Officer ..............................................................................................3\n          Director, Office of Financial Management Systems..................................................1\nFederal Acquisition Service (Q) ............................................................................................5\n       Commissioner ...............................................................................................................1\n       Acting Director, Office of Travel and Transportation Services ...................................1\n       Authorizing Official ......................................................................................................1\n       Information Systems Security Manager........................................................................1\n       Information Systems Security Officer 
..........................................................................1\nOffice of the Chief Information Officer (I)............................................................................2\n       Office of the Senior Agency Information Security Officer ..........................................1\n\n\nWITHOUT APPENDICES D-F\nChief Human Capital Officer (C) ..........................................................................................1\nInternal Control and Audit Division (BEI) ............................................................................1\nAssistant Inspector General for Auditing (JA and JAO) .......................................................2\nDeputy Assistant Inspector General for Finance and Administrative Audits (JA-F) ............1\nDeputy Assistant Inspector General for Acquisition Audits (JA-A) .....................................1\nAdministration and Data Systems Staff (JAS).......................................................................1\nAssistant Inspector General for Investigations (JI) ................................................................1\nAudit Liaison, Office of the Chief Financial Officer (B) ......................................................1\nAudit Liaison, Federal Acquisition Service (Q) ....................................................................1\n\n\n\n\n                                                                   H-1\n\x0c'